darkcomet | 62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f

Analysis

max time kernel
153s
max time network
182s
platform
windows7_x64
resource
win7v20210408
submitted
14-05-2021 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe
Size

1.5MB
MD5

bc6a79b6114ed8f1121008aeb8528e22
SHA1

fc34e6014ff7aa79ffb6744aa1c02506c5162f30
SHA256

62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f
SHA512

f5034cf4764bea453dce20d8cc4e0bedad66fa018817f8a520560e4fa012c67466b802646d345092881ebd1aa4c728a2b885f18dd61b385731761649ef427f85

Score

10^/10

darkcomet persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 3 IoCs

Processes:

test.exetest.exetest.exe

pid process

1756 test.exe
300 test.exe
676 test.exe

pid	process
1756	test.exe
300	test.exe
676	test.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/524-71-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/524-81-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/676-108-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/676-123-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Loads dropped DLL 5 IoCs

Processes:

62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe

pid	process
524	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe
524	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe
524	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe
524	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe
524	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\test\\test.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exetest.exe

description	pid	process	target process
PID 1488 set thread context of 524	1488	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe
PID 1756 set thread context of 300	1756	test.exe	test.exe
PID 1756 set thread context of 676	1756	test.exe	test.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

test.exetest.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	676	test.exe
Token: SeSecurityPrivilege	676	test.exe
Token: SeTakeOwnershipPrivilege	676	test.exe
Token: SeLoadDriverPrivilege	676	test.exe
Token: SeSystemProfilePrivilege	676	test.exe
Token: SeSystemtimePrivilege	676	test.exe
Token: SeProfSingleProcessPrivilege	676	test.exe
Token: SeIncBasePriorityPrivilege	676	test.exe
Token: SeCreatePagefilePrivilege	676	test.exe
Token: SeBackupPrivilege	676	test.exe
Token: SeRestorePrivilege	676	test.exe
Token: SeShutdownPrivilege	676	test.exe
Token: SeDebugPrivilege	676	test.exe
Token: SeSystemEnvironmentPrivilege	676	test.exe
Token: SeChangeNotifyPrivilege	676	test.exe
Token: SeRemoteShutdownPrivilege	676	test.exe
Token: SeUndockPrivilege	676	test.exe
Token: SeManageVolumePrivilege	676	test.exe
Token: SeImpersonatePrivilege	676	test.exe
Token: SeCreateGlobalPrivilege	676	test.exe
Token: 33	676	test.exe
Token: 34	676	test.exe
Token: 35	676	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe
Token: SeDebugPrivilege	300	test.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exetest.exetest.exe

pid	process
1488	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe
524	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe
1756	test.exe
300	test.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.execmd.exetest.exe

description	pid	process	target process
PID 1488 wrote to memory of 524	1488	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe
PID 1488 wrote to memory of 524	1488	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe
PID 1488 wrote to memory of 524	1488	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe
PID 1488 wrote to memory of 524	1488	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe
PID 1488 wrote to memory of 524	1488	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe
PID 1488 wrote to memory of 524	1488	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe
PID 1488 wrote to memory of 524	1488	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe
PID 1488 wrote to memory of 524	1488	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe
PID 524 wrote to memory of 316	524	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe	cmd.exe
PID 524 wrote to memory of 316	524	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe	cmd.exe
PID 524 wrote to memory of 316	524	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe	cmd.exe
PID 524 wrote to memory of 316	524	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe	cmd.exe
PID 316 wrote to memory of 1776	316	cmd.exe	reg.exe
PID 316 wrote to memory of 1776	316	cmd.exe	reg.exe
PID 316 wrote to memory of 1776	316	cmd.exe	reg.exe
PID 316 wrote to memory of 1776	316	cmd.exe	reg.exe
PID 524 wrote to memory of 1756	524	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe	test.exe
PID 524 wrote to memory of 1756	524	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe	test.exe
PID 524 wrote to memory of 1756	524	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe	test.exe
PID 524 wrote to memory of 1756	524	62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe	test.exe
PID 1756 wrote to memory of 300	1756	test.exe	test.exe
PID 1756 wrote to memory of 300	1756	test.exe	test.exe
PID 1756 wrote to memory of 300	1756	test.exe	test.exe
PID 1756 wrote to memory of 300	1756	test.exe	test.exe
PID 1756 wrote to memory of 300	1756	test.exe	test.exe
PID 1756 wrote to memory of 300	1756	test.exe	test.exe
PID 1756 wrote to memory of 300	1756	test.exe	test.exe
PID 1756 wrote to memory of 300	1756	test.exe	test.exe
PID 1756 wrote to memory of 676	1756	test.exe	test.exe
PID 1756 wrote to memory of 676	1756	test.exe	test.exe
PID 1756 wrote to memory of 676	1756	test.exe	test.exe
PID 1756 wrote to memory of 676	1756	test.exe	test.exe
PID 1756 wrote to memory of 676	1756	test.exe	test.exe
PID 1756 wrote to memory of 676	1756	test.exe	test.exe
PID 1756 wrote to memory of 676	1756	test.exe	test.exe
PID 1756 wrote to memory of 676	1756	test.exe	test.exe

C:\Users\Admin\AppData\Local\Temp\62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe
"C:\Users\Admin\AppData\Local\Temp\62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488

C:\Users\Admin\AppData\Local\Temp\62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe
"C:\Users\Admin\AppData\Local\Temp\62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QNMQD.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "svchost" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\test\test.exe" /f
4⤵
- Adds Run key to start application
PID:1776

C:\Users\Admin\AppData\Roaming\test\test.exe
"C:\Users\Admin\AppData\Roaming\test\test.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Roaming\test\test.exe
"C:\Users\Admin\AppData\Roaming\test\test.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:300

C:\Users\Admin\AppData\Roaming\test\test.exe
"C:\Users\Admin\AppData\Roaming\test\test.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QNMQD.bat
MD5
527683c48cc4c7190219814c77b72fe0

SHA1
d995878a8f4b9824a0508039eeada5376be9a52d

SHA256
bbebf3e66136e700d8e3e2e0c8f461cdd9d7e68fe5a18a235afe86344932fb4b

SHA512
408a53b240c23fa34153ccc2b2315f28a9741121ecc9b76d50267ee62d78230e65574327369f83c779c781802c0c28f6c578703c01a67de46c3d44f71b814fa6

Download Submit
C:\Users\Admin\AppData\Roaming\test\test.exe
MD5
1383cc94508b95167bf3af520ce4de6a

SHA1
be7d868dfa7e1c7e001b38fc9c07baf7390f16ad

SHA256
8f6ef2899e3ed58a2271062f97ffc73b86742f580d80dea23831596d798c6b44

SHA512
3dbce5d95db592fe803c361e8cb4c10858eb1e288e365a693236ba2ed647e7ccddacbf9fcdae352240e07f14e357c8585558dae21ac0fd7b382eea47855cc2e1

Download Submit
C:\Users\Admin\AppData\Roaming\test\test.exe
MD5
1383cc94508b95167bf3af520ce4de6a

SHA1
be7d868dfa7e1c7e001b38fc9c07baf7390f16ad

SHA256
8f6ef2899e3ed58a2271062f97ffc73b86742f580d80dea23831596d798c6b44

SHA512
3dbce5d95db592fe803c361e8cb4c10858eb1e288e365a693236ba2ed647e7ccddacbf9fcdae352240e07f14e357c8585558dae21ac0fd7b382eea47855cc2e1

Download Submit
C:\Users\Admin\AppData\Roaming\test\test.exe
MD5
1383cc94508b95167bf3af520ce4de6a

SHA1
be7d868dfa7e1c7e001b38fc9c07baf7390f16ad

SHA256
8f6ef2899e3ed58a2271062f97ffc73b86742f580d80dea23831596d798c6b44

SHA512
3dbce5d95db592fe803c361e8cb4c10858eb1e288e365a693236ba2ed647e7ccddacbf9fcdae352240e07f14e357c8585558dae21ac0fd7b382eea47855cc2e1

Download Submit
C:\Users\Admin\AppData\Roaming\test\test.exe
MD5
1383cc94508b95167bf3af520ce4de6a

SHA1
be7d868dfa7e1c7e001b38fc9c07baf7390f16ad

SHA256
8f6ef2899e3ed58a2271062f97ffc73b86742f580d80dea23831596d798c6b44

SHA512
3dbce5d95db592fe803c361e8cb4c10858eb1e288e365a693236ba2ed647e7ccddacbf9fcdae352240e07f14e357c8585558dae21ac0fd7b382eea47855cc2e1

Download Submit
\Users\Admin\AppData\Roaming\test\test.exe
MD5
1383cc94508b95167bf3af520ce4de6a

SHA1
be7d868dfa7e1c7e001b38fc9c07baf7390f16ad

SHA256
8f6ef2899e3ed58a2271062f97ffc73b86742f580d80dea23831596d798c6b44

SHA512
3dbce5d95db592fe803c361e8cb4c10858eb1e288e365a693236ba2ed647e7ccddacbf9fcdae352240e07f14e357c8585558dae21ac0fd7b382eea47855cc2e1

Download Submit
\Users\Admin\AppData\Roaming\test\test.exe
MD5
1383cc94508b95167bf3af520ce4de6a

SHA1
be7d868dfa7e1c7e001b38fc9c07baf7390f16ad

SHA256
8f6ef2899e3ed58a2271062f97ffc73b86742f580d80dea23831596d798c6b44

SHA512
3dbce5d95db592fe803c361e8cb4c10858eb1e288e365a693236ba2ed647e7ccddacbf9fcdae352240e07f14e357c8585558dae21ac0fd7b382eea47855cc2e1

Download Submit
\Users\Admin\AppData\Roaming\test\test.exe
MD5
1383cc94508b95167bf3af520ce4de6a

SHA1
be7d868dfa7e1c7e001b38fc9c07baf7390f16ad

SHA256
8f6ef2899e3ed58a2271062f97ffc73b86742f580d80dea23831596d798c6b44

SHA512
3dbce5d95db592fe803c361e8cb4c10858eb1e288e365a693236ba2ed647e7ccddacbf9fcdae352240e07f14e357c8585558dae21ac0fd7b382eea47855cc2e1

Download Submit
\Users\Admin\AppData\Roaming\test\test.exe
MD5
1383cc94508b95167bf3af520ce4de6a

SHA1
be7d868dfa7e1c7e001b38fc9c07baf7390f16ad

SHA256
8f6ef2899e3ed58a2271062f97ffc73b86742f580d80dea23831596d798c6b44

SHA512
3dbce5d95db592fe803c361e8cb4c10858eb1e288e365a693236ba2ed647e7ccddacbf9fcdae352240e07f14e357c8585558dae21ac0fd7b382eea47855cc2e1

Download Submit
\Users\Admin\AppData\Roaming\test\test.exe
MD5
1383cc94508b95167bf3af520ce4de6a

SHA1
be7d868dfa7e1c7e001b38fc9c07baf7390f16ad

SHA256
8f6ef2899e3ed58a2271062f97ffc73b86742f580d80dea23831596d798c6b44

SHA512
3dbce5d95db592fe803c361e8cb4c10858eb1e288e365a693236ba2ed647e7ccddacbf9fcdae352240e07f14e357c8585558dae21ac0fd7b382eea47855cc2e1

Download Submit
memory/300-106-0x00000000004085D0-mapping.dmp

Download
memory/316-83-0x0000000000000000-mapping.dmp

Download
memory/524-72-0x00000000004085D0-mapping.dmp

Download
memory/524-81-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/524-82-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/524-71-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/676-123-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/676-124-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/676-109-0x00000000004B5640-mapping.dmp

Download
memory/676-108-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1488-70-0x0000000000401000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1488-69-0x0000000000401000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1488-78-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1488-75-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1488-77-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1488-68-0x0000000000401000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1488-79-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1488-76-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1488-67-0x0000000000401000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1488-66-0x0000000000401000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1488-64-0x0000000000401000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1488-60-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/1488-80-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1488-63-0x0000000000401000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1756-91-0x0000000000000000-mapping.dmp

Download
memory/1776-85-0x0000000000000000-mapping.dmp

Download